Collateral damage from its call-home routines

Mar 3, 2009 08:55 GMT
The Conficker botnet will launch unintentional DDoS attacks against legit domains

Researchers from antivirus vendor Sophos warn that, during March, the operations of several rather popular websites hosted on legit domains could be affected by the update routines of the Conficker worm. The list includes a domain belonging to Southwest Airlines.

The Conficker worm is one of the most successful worms in history and infected some 12 million hosts worldwide at its peak. Security experts estimate that the active Conficker botnet is composed of between 2 million and 3 million compromised machines at any given time.

The routines of the worm's B variant, which also had the most success propagating, involve contacting command-and-control servers daily in order to receive updated instructions. However, the real purpose of Conficker, also known as Downadup or Kido, continues to baffle researchers, as its creators have not yet sent any commands to the botnet, which in theory could be used for sending spam and launching DDoS attacks.

Mike Wood, security analyst at SophosLabs Canada, warns that denial-of-service attacks, whether intended or not, will occur as a result of Conficker. This is because the worm automatically generates a list of 250 domain names every day according to an algorithm, which it then uses to call home for updates. Unfortunately, these lists of randomly generated domain names are bound to include some that are already registered and belong to legitimate organizations and companies.

"A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services. Secondly, those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack," Mr. Wood explains.

Malware analysts have already reverse-engineered the domain name generation algorithm and are able to predict the list of domains in advance. Microsoft is leading an operation in collaboration with several ISPs and cybercrime-fighting organizations that aims to prevent the likely misuse of the botnet by registering these domains before the Conficker creators do.

The Sophos researcher notes that, from the list of 7750 domain names that the worm will generate in March, around 3889 are active. Furthermore, from the 3889 active domains, 3861 point to IP addresses controlled by the Microsoft-led anti-Conficker "cabal." This leaves 28 active domains, which belong to other parties.
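The two defender-side checks implied by the paragraphs above, as an added example that is not code from the article, Sophos or Microsoft: sorting a day's predicted call-home list into sinkholed, legitimate-collision and unclaimed domains (the split the 3889/3861/28 figures describe), and scanning resolver logs for clients that fit the call-home pattern while counting the query load landing on the legitimate domains. All domain lists and log lines are constructed placeholders, not real Conficker.B output.

```python
"""Triage of a predicted Conficker call-home list against resolver logs.

Added example, not code from the article, Sophos or Microsoft. Every domain
list and log line below is a constructed placeholder, not real DGA output."""
from collections import Counter, defaultdict

# Constructed stand-in for the 250 domains the DGA is predicted to use one day.
PREDICTED_TODAY = {"qzxkwpla.com", "bvtrqmn.net", "hlpqzvt.org", "wnsux.com", "jogli.com"}
# Constructed: predicted domains already registered by the anti-Conficker group.
SINKHOLED = {"qzxkwpla.com", "bvtrqmn.net"}
# Constructed: predicted domains known to belong to legitimate third parties.
LEGIT_OWNERS = {"wnsux.com": "Southwest Airlines", "jogli.com": "music streaming site"}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype>"
DNS_LOG = """\
2009-03-13T00:01:02 10.0.4.17 qzxkwpla.com A
2009-03-13T00:01:02 10.0.4.17 wnsux.com A
2009-03-13T00:01:03 10.0.4.17 bvtrqmn.net A
2009-03-13T00:02:10 10.0.9.3 southwest.com A
2009-03-13T00:02:11 10.0.9.3 wnsux.com A
2009-03-13T00:05:44 10.0.7.250 wnsux.com A
2009-03-13T00:05:45 10.0.7.250 jogli.com A
"""

def classify_predicted(predicted, sinkholed, legit_owners):
    """Bucket a day's predicted domains: sinkholed (call-home traffic is
    harmless), legit (collateral DDoS risk, owner needs notifying) and
    unclaimed (still available to register before the botmaster does)."""
    buckets = {"sinkholed": set(), "legit": set(), "unclaimed": set()}
    for dom in predicted:
        key = "sinkholed" if dom in sinkholed else "legit" if dom in legit_owners else "unclaimed"
        buckets[key].add(dom)
    return buckets

def triage_dns_log(log, predicted, legit_owners, min_hits=2):
    """Return (suspects, load). A client resolving several distinct domains
    from the day's list fits the worm's call-home pattern; a lone hit on a
    legitimate collision domain is as likely an ordinary visitor and is not
    flagged. load counts queries per legitimate collision domain."""
    hits, load = defaultdict(set), Counter()
    for line in log.splitlines():
        _ts, client, qname, _qtype = line.split()
        qname = qname.lower().rstrip(".")
        if qname in predicted:
            hits[client].add(qname)
            if qname in legit_owners:
                load[qname] += 1
    suspects = {c: sorted(d) for c, d in hits.items() if len(d) >= min_hits}
    return suspects, dict(load)
```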

Upon investigation, it has been revealed that wnsux.com, a domain that the botnet is scheduled to contact on March 13, is owned by Southwest Airlines and redirects visitors to a page on southwest.com displaying a message which informs them that the company "wants to control the release of inaccurate and irresponsible information about the Company via the Internet."

Another website that will be targeted on March 8 is jogli.com, an online music streaming service. Others include qhflh.com (Women’s Net in Qinghai Province, China), on March 18, and praat.org (the home of the Praat phonetics application), on March 31.

The owners of the to-be-affected domain names have been notified of the upcoming danger and have enough time to come up with a solution for preventing any DDoS. Southwest Airlines seems to have already taken wnsux.com down; however, mitigation on the rest of the domains will not be that simple.